SAN FRANCISCO -- When attackers hack into a business’ bank account and empty the account of millions of dollars, can the business sue its bank and successfully win reimbursement? Two courts in the U.S. decided such cases differently, ruling in favor of the business in one case and in favor of the bank in the other. According to a panel consisting of two attorneys, a judge and a bank representative at
Court finds multifactor authentication sufficient
In the case of Patco Construction Co. Inc. versus People’s United Bank, hackers employed the Zeus Trojan to capture answers to Patco’s bank account security challenge questions, and then used that information to log in to Patco’s bank account and transfer more than a half million dollars to the hackers’ accounts in Eastern Europe. Patco sued People’s United Bank, but the U.S. District Court in Maine ruled in favor of the bank. The court found the bank had exercised “commercially reasonable” security practices, noting the bank’s use of two-factor authentication.
The court requires banks to offer reasonable security, not the best security.
Terra Verde Services
People’s United Bank relied on a software-based device ID cookie -- a cookie the hackers had captured and used to carry out their attack. Patco argued the bank should have used a physical cookie, but this argument did not sway the court. “The court requires banks to offer reasonable security, not the best security,” said Hoyt Kesterson, senior security architect for Scottsdale, Ariz.-based Terra Verde Services.
Court looks for good faith by the bank
In the case of Experi-Metal Inc. versus Comercia Bank, the U.S. District Court for the Eastern District of Michigan also looked for commercially reasonable security by the bank in determining if the bank was liable for stolen funds. Yet in this case, the court went a step further to determine if the bank had acted in good faith when processing transactions that transferred millions of dollars from Experi-Metal’s account to a number of newly opened accounts in one weekend. The court ruled the bank had not acted in good faith and Experi-Metal was able to recover most of the lost funds from Comercia.
According to panelist John Facciola, U.S. Magistrate for the U.S. District Court for the District of Columbia, the definition of good faith in cases of this type is still unclear and may be a subjective observation made by the court.
Advice for SMB security pros
With these two different court decisions, how can security pros plan to protect their business’ financial assets? The panelists in the RSA Conference session, entitled Whose fault is it? I didn’t know it wasn’t you, offered some advice for small- and medium-size businesses that may not have enough security resources to oversee all aspects of their bank’s security processes.
Business owners are required to sign a contract with the bank when they open a commercial account, and according to Kesterson, this is the first opportunity for security pros to get involved in protecting their business. He advised security pros to add alerting requirements to the bank’s standard contract.
“Set up a plan where the bank alerts you whenever it receives a request to process a transaction of a certain level or type,” Kesterson said. “And don’t rely on text alerts, which can themselves be intercepted. Have the bank pick up the phone and call you, even if it delays the transaction.”
David Navetta, founding partner of New York-based Info Law Group, concurred. He explained that banks are generally willing to accept such modifications to their standard contract because of the competitive nature of the banking industry.
Navetta also emphasized the importance of security education for employees, noting that the attack on Experi-Metal’s account got its start from a phishing email. “Be aware of your own security because that’s where most of these cases start,” Navetta said.
Ken Baylor, vice president of antifraud for Wells Fargo Bank, reminded fellow panelists that banks are doing their best to maintain account security, but they are dependent on the security products they deploy. “Small banks rely on vendor claims as the basis for their contracts”, Baylor said.
The two cases discussed by the panel were decided by their respective courts in 2011, and security pros and attorneys are currently examining the cases as likely indicators of future court decisions.
Judge Facciola concluded the RSA panel session on a promising note for security teams. “The courts are coalescing upon a particular point of view,” Facciola said. “The trend may very well point in favor of liability of the banks.”
View all of our RSA 2012 Conference coverage.